B
biyuexu
In a typical SOC environment, Tier 1 analysts are responsible for reviewing incoming security incidents. They're in charge of investigating and resolving non-critical alerts, including the identification of false positives. When a critical incident is detected, the Tier 1 analyst must quickly escalate it to the Tier 2 or 3 team for a more thorough investigation. In this case study, you will take on the role of a Tier 1 analyst and discover how Copilot for Security can support you throughout the investigation. It is a tool designed to enable you to assess and manage incidents with greater efficiency and effectiveness.
Let’s use a security incident in the Microsoft Defender XDR portal for our case study. As shown in the next screen capture, this high-severity incident involves three devices, four users and one email account. It consists of a correlation of 25 alerts generated by different Microsoft security solutions. This incident, titled 'Multi-stage incident involving Initial access & Lateral movement on multiple endpoints reported by multiple sources' appears complex, extensive, and intimidating.
As soon as you start examining this incident in the Microsoft Defender XDR portal, Copilot for Security is already present on the incident page, as shown in the next diagram. It automatically creates a summary of the incident, providing a clear overview of the attack. Additionally, it offers tailored guidance for responding to the incident through its Guided Response feature, which is also accessible on the incident page.
Rather than sifting through all 25 alerts in the incident to understand the attack, let’s review the summary provided by Copilot for Security first. You can copy the incident summary for further review using Copilot’s “Copy to clipboard” option. This feature is illustrated in the next screenshot.
For your reference, here is the full incident summary copied from Copilot:
As seen from the incident summary, Copilot for Security provides an overview of the incident that helps you to quickly understand the scope and impact of the attack. It groups the suspicious events into distinct attack stages, outlining the attack’s progression from initial access to lateral movement and persistent access. Each stage is detailed with specific timestamps and a concise summary of the events. In a typical investigation, the security analyst would need to create a similar incident outline manually. With Copilot, this process is now automated and much faster.
After reviewing the incident summary, it’s clear that this is a highly involved incident with multiple sophisticated attacks. As a Tier 1 analyst, your goal is to quickly assess the attacks, rule out the false positives, determine the impact of the incident, and decide whether it needs to be escalated. Let’s dive into some of the incident investigations and see how Copilot for Security can assist throughout the process.
Initial Access, Discovery, and Defense Evasion
The initial access occurs when the attacker gains entry into the target system or network. In this case, the attacker employs a common attack tactic by tricking the user to click on a malicious link, to establish the initial foothold within the user’s corporate network. The following excerpt is from the incident summary generated by Copilot.
Once an attacker gains access to the corporate network, he/she needs to gather information about the environment. For instance, running the Windows process “whoami.exe” to gather details about the current user’s identity and environment. Executing “whoami /groups” shows the groups to which the current user belongs, revealing user’s access level and permissions within the system. This process is documented during the Discovery phase.
So far, the attack techniques encountered are standard and frequently observed. For a Tier 1 analyst, these techniques are familiar and well-known, making the investigation relatively simple.
However, starting from the Defense Evasion phase, things may get a bit tricky. You see a process injection event in the alert:
What might “a process was injected with potentially malicious code” indicate? What’s a process injection? Let’s consult with Copilot for Security.
You can switch from the embedded experience of Copilot to its standalone mode. This allows you to ask Copilot more questions using its prompt feature. In the Microsoft Defender XDR portal, you may have noticed that there is an ellipsis right inside the Copilot pane. It offers several options for you, including the one “Open in Copilot for Security”. Selecting this option enables you to switch from the Copilot’s embedded experience to its standalone mode. This is shown in the next screen capture.
The “Open in Copilot for Security” feature also allows you to continue your current Copilot session in the standalone experience, preserving any ongoing work or context from the embedded experience. In this standalone mode, you can use the prompt feature to ask additional questions or seek further information, as shown in the next screenshot:
Prompt to Copilot for Security: Can you tell me more about DefenseEvasion: a process was injected with potentially malicious code on 'mb-winclient' (Windows10), involving the files 'ContosoADFSadmincreds.ps1', 'Midnight161.ps1'
The response from Copilot provides an overview of process injection and its characteristics:
The full Copilot response is displayed in the next screen capture:
The process injection overview may still be somewhat abstract. You can follow up with Copilot for a more detailed description using a prompt seen in the next screen capture.
The next diagram presents a portion of the response from Copilot for Security. With this response from Copilot, you have a better understanding of process injection.
The information from Copilot adds more context and insights for this alert, enabling you, the Tier 1 analyst, to start a more thorough investigation immediately.
Back to the Microsoft Defender XDR portal, analysts typically leverage the Defender for Endpoint Timeline feature to investigate the event that might have triggered the alert “A process was injected with potentially malicious code.” The next screenshot shows that in the Timeline, Defender XDR recorded a device event, “powershell.exe executed a script,”. This event led Defender for Endpoint to immediately detect and report “powershell.exe process contains suspicious patterns in AMSI content related to ‘Process Injection’ and other techniques.” This then leads to the triggering of the process injection alert.
Defender XDR also provides the detailed PowerShell process commands that you can ask Copilot to analyze, as shown in the next screen capture.
With Copilot’s information on process injection, and combining the details from the device events, especially that the PowerShell script was executed from the user’s downloads directory, it’s clear that this is likely a malicious attack rather than a false positive. The use of a more advanced technique of process injection suggests that this case should be escalated to the Tier 2 team for further investigation.
In Defender XDR’s Timeline feature, security analysts typically review device events that occurred around the time the security alert was triggered to identify any additional malicious activity. This process is both time-consuming and labor-intensive. But now Copilot for Security can handle the heavy lifting for you. Let’s return to the Copilot standalone environment and use its prompt feature to accomplish this.
The prompt seen in the next screenshot instructs Copilot for Security to use a Defender KQL query to retrieve all device process events from around the time of the process injection activity. It then asks Copilot to analyze these events for any signs of suspicious activity.
As shown in the next screen capture, Copilot has flagged a few events that are worth investigating further.
You can ask Copilot for Security to further investigate these events with additional prompts in Copilot’s standalone experience.
This investigation may take some time to finish. However, as a Tier 1 analyst, you have concluded that these are likely malicious events involving sophisticated attack techniques. The Tier 2 team will need to carry out a more in-depth investigation. In the meantime, you can move on to the next set of security alerts.
Credential Access
In the incident summary, Copilot for Security also mentions a suspected DCSync attack as part of Credential Access activity:
What is a DCSync attack? Rather than spending a lot of time researching it online, you can leverage Copilot for Security’s standalone experience to quickly get an idea of what it is and how it works.
The next screenshot displays the question you can ask Copilot, along with some of its responses.
Copilot for Security first provides an overview of the DCSync attack with some specific examples. It then walks you through the steps involved in a typical DCSync attack, as seen in the next snapshot.
After reviewing the information provided by Copilot for Security, you should have a better understanding of the key aspects of a DCSync attack and how it operates. If there are more questions or if further clarification is needed, you can always use Copilot’s prompt feature to gain additional insights.
Once you have a solid understanding of the DCSync attack, you can apply this knowledge to assist the security incident investigation. Back in the Defender XDR portal, when you examine the alert story for the “suspected DCSync attack” alert, you’ll likely notice something is off when the end user sends a replication request to a domain controller, as seen in the screen capture.
You can confirm your suspicion with Copilot by entering the following prompt in Copilot’s standalone mode:
As seen in the next screen capture, Copilot for Security confirms that “it is not common for a regular user on a Windows 10 device to send a replication request to a Domain Controller (DC). In a typical Active Directory environment, only Domain Controllers replicate data amongst themselves.”
At this point, you likely can confirm this is a true security incident, not a false positive. Given the nature of the attack, it will require further investigation by the Tier 2 team.
Without the help from Copilot for Security, researching and confirming whether suspicious behavior is truly malicious can be time-consuming and labor-intensive. However, with Copilot for Security, it is faster and more straightforward to confirm malicious activities. Additionally, its provided explanations offer more context, helping the Tier 1 analyst to assess the impact and severity of the incident. This enables the analyst to quickly decide if the incident needs to be escalated to the Tier 2 team or not.
Lateral Movement
In this same security incident, there is an alert for “an ongoing hands-on-keyboard attack via Impacket toolkit”:
While the description of the Impacket toolkit in the Microsoft Defender XDR portal is helpful, but for more detailed insight, you can turn to Copilot for Security’s standalone experience and ask:
Copilot provides a more thorough description of this toolkit:
It’s worth noting that in Copilot’s description of the toolkit, it was emphasized that while Impacket is a legitimate tool, it can also be exploited by attackers. Copilot included several simple examples to illustrate this:
Copilot for Security then highlighted a specific attack scenario, pointing out that Impacket can be used to carry out a DCSync attack. And, as the Tier 1 analyst, you have just confirmed that a DCSync attack is involved in the same security incident.
It's also worth mentioning that while using Copilot for Security, it captures the sequence of your prompts and responses in a session. A session is a distinct interaction period with Copilot for Security, during which Copilot retains the context of the conversation. This allows it to provide relevant answers to subsequent requests, ensuring that the conversation flows logically, and that each response builds upon the previous ones.
Persistence
As we proceed with the incident summary generated by Copilot for Security, the next security alert is a suspicious service creation event occurred during the persistence stage:
If you start examining this alert in the Microsoft Defender XDR portal, you will notice that Defender for Identity and Defender for Endpoint EDR all generated similar alerts, likely for the same suspicious event, as seen in the next screen capture:
Let’s first take a look at “suspicious service creation” alert triggered in Defender for Identity, as shown next:
The service path listed in the alert looks suspicious and it is encoded. Let's use the following prompt to consult Copilot and understand its purpose.
The next screen capture displays the response from Copilot for Security:
Copilot for Security provides a detailed breakdown of the service path. It identifies the encoded command as base64 encoding and decodes it for you. It then concludes with a summary: “this service path is used to execute the RenamePowershell.ps1 PowerShell script located in the C:\Scripts\ directory. The use of base64 encoding can often be a technique to obfuscate the actual command being run, which could be a sign of malicious activity.”
This information is helpful. Let's continue examining the other related security alerts. The “suspicious service registration” alert triggered in Defender for Endpoint likely pertains to the same suspicious activity that was just looked at. This alert provides a little bit more information and mentions “services.exe modified service image file”, as shown next.
Using the following prompt, let’s see what Copilot for Security can find out:
The screenshot shown next displays Copilot’s response.
Copilot’s findings for this “suspicious service registration” alert closely align with its analysis on the “suspicious service creation” alert triggered in Defender for Identity. This confirms the suspicion that the two alerts from different security solutions are both reporting the same malicious activity. However, because the Defender for Endpoint alert points out a "services.exe modified service image file" and this detail was included in the prompt, Copilot for Security can now provide additional insights in its analysis that weren't present in the previous report. You now have a clear picture of this malicious activity: the services.exe process has been set to run RenamePowershell.ps1 whenever the WDUAPJKVADPWOQLFGQSH service is started. For your reference, the following snippet is taken from Copilot's last response:
This example also highlights the importance of effective prompting. The more specific information you provide to Copilot, the more relevant and precise responses you’re likely to receive.
In addition, this example highlights the Microsoft Defender XDR's capability to integrate and correlate data across various Defender solutions. When different Defender tools detect the same malicious activity, they each generate separate alerts. Microsoft Defender XDR then aggregates these alerts into a unified incident. This correlation helps to provide a comprehensive view of the threat.
Credential Access
Let's review one more alert from the incident summary provided by Copilot for Security: suspicious credential access event involving an ADFS private key extraction:
You will use Copilot for Security to again get a better understanding of the alert. In the Microsoft Defender XDR portal, the device Timeline very often shows the events that led to the alert being triggered. For this security alert, the device event, "jyglecpm.1v0.exe ran an LDAP query", triggered the alert “ADFS private key extraction attempt”, as seen in the next screenshot. To further investigate this device event, one option is to utilize Copilot for Security to analyze the command line for jyglecpm.1v0.exe. You can perform this directly within the Microsoft Defender XDR portal leveraging the embedded experience of Copilot for Security. Alternatively, in standalone mode, you can paste the command line into the Copilot prompt and request for analysis.
As shown in the next screen capture, Copilot for Security offers a detailed analysis of the command line through its embedded experience.
From the Copilot analysis excerpt shown below, you can sense something isn’t right when jyglecpm.1v0.exe performed the LDAP query:
To further investigate, you can first get a sense of what are the normal LDAP operations by prompting Copilot with the following questions in its standalone experience:
The next screenshot displays the information provided back by Copilot:
Based on Copilot’s explanation, you quickly gain an understanding of LDAP and how it operates. LDAP queries are typically initiated by client applications or services that need to access data stored in a directory service. For instance, an email client might perform an LDAP query to retrieve the email addresses of users within an organization.
Now you may be wondering, why would an unfamiliar and rarely seen process like "jyglecpm.1v0.exe" need to run an LDAP query to access data in a directory service? It is especially suspicious with its encoded command line. Let’s continue to consult Copilot with the prompt shown in the next screenshot:
Copilot for Security, leveraging its vast amount of knowledge, comments: “The command line script you provided does not appear to be a normal LDAP operation. It executes …” The full response from Copilot is displayed in the next screen capture:
Without the assistance of Copilot for Security, determining whether a behavior is truly malicious can be time-consuming and labor-intensive. Traditional methods typically involve extensive manual research, multiple clicks, and complex navigation through various user interface elements. Analysts often need to sift through many data points and conduct in-depth analyses to assess the severity of threats, which can delay the identification of true risks.
However, with Copilot for Security, this process becomes significantly more efficient and straightforward. Analysts can quickly ask specific questions about suspicious behavior rather than spending extended periods researching online. By providing additional context and explanations directly within the platform, Copilot enables Tier 1 analysts to quickly understand the nature and severity of an incident. This instant clarity allows analysts to make informed decisions and determine whether escalation to Tier 2 or 3 teams is necessary, thus accelerating threat response and reducing the overall time spent on investigation.
Continue reading...
Let’s use a security incident in the Microsoft Defender XDR portal for our case study. As shown in the next screen capture, this high-severity incident involves three devices, four users and one email account. It consists of a correlation of 25 alerts generated by different Microsoft security solutions. This incident, titled 'Multi-stage incident involving Initial access & Lateral movement on multiple endpoints reported by multiple sources' appears complex, extensive, and intimidating.
As soon as you start examining this incident in the Microsoft Defender XDR portal, Copilot for Security is already present on the incident page, as shown in the next diagram. It automatically creates a summary of the incident, providing a clear overview of the attack. Additionally, it offers tailored guidance for responding to the incident through its Guided Response feature, which is also accessible on the incident page.
Rather than sifting through all 25 alerts in the incident to understand the attack, let’s review the summary provided by Copilot for Security first. You can copy the incident summary for further review using Copilot’s “Copy to clipboard” option. This feature is illustrated in the next screenshot.
For your reference, here is the full incident summary copied from Copilot:
The high severity incident 'Multi-stage incident involving Initial access & Lateral movement on multiple endpoints reported by multiple sources' occurred between 2024-08-06 17:15:43 UTC and 2024-08-11 00:01:42 UTC. It was tagged as Credential Phish and Lateral Movement.
- InitialAccess: The incident began at 2024-08-06 17:15:43 UTC when user 'kdickens' clicked on a malicious URL 'hxxps://fm06722326.mangodune-7572a721.eastus.azurecontainerapps.io/'.
- Discovery: At 2024-08-06 17:16:17 UTC, a suspicious sequence of exploration activities were detected on 'mb-winclient' (Windows 10), involving the processes 'whoami.exe', 'powershell.exe' (running as SYSTEM), and impacting users 'pgustavo' and 'kdickens'.
- DefenseEvasion: At 2024-08-06 17:16:20 UTC, a process was injected with potentially malicious code on 'mb-winclient' (Windows 10), involving the files 'ContosoADFSadmincreds.ps1', 'Midnight161.ps1', and impacting users 'pgustavo' and 'kdickens'.
- Execution: At 2024-08-06 17:16:20 UTC, a malicious PowerShell Cmdlet was invoked on 'mb-winclient' (Windows 10), involving the files 'ContosoADFSadmincreds.ps1', 'Midnight161.ps1', and impacting users 'pgustavo' and 'kdickens'.
- CredentialAccess: At 2024-08-06 17:17:07 UTC, a suspected DCSync attack (replication of directory services) was detected on 'mb-winclient' (Windows 10), impacting user 'pgustavo'.
- LateralMovement: At 2024-08-06 17:17:09 UTC, an ongoing hands-on-keyboard attack via Impacket toolkit was detected on 'mb-adfs' (Windows Server 2022), involving the processes 'lsass.exe' (running as SYSTEM), 'powershell.exe' (running as SYSTEM), and impacting users 'LocalSystem' and 'adfsadmin'.
- Persistence: At 2024-08-06 17:17:10 UTC, suspicious service creation was detected on 'mb-adfs' (Windows Server 2022), involving the process 'services.exe' (running as SYSTEM), and impacting user 'adfsadmin'.
- CredentialAccess: At 2024-08-06 17:18:20 UTC, an ADFS private key extraction attempt was detected on 'mb-adfs' (Windows Server 2022), impacting user 'adfsadmin'.
- DefenseEvasion: At 2024-08-11 00:01:42 UTC, an attempt to hide the use of a dual-purpose tool was detected on 'mb-adfs' (Windows Server 2022), involving the file 'jyglecpm.1v0.exe', and impacting user 'adfsadmin'.
As seen from the incident summary, Copilot for Security provides an overview of the incident that helps you to quickly understand the scope and impact of the attack. It groups the suspicious events into distinct attack stages, outlining the attack’s progression from initial access to lateral movement and persistent access. Each stage is detailed with specific timestamps and a concise summary of the events. In a typical investigation, the security analyst would need to create a similar incident outline manually. With Copilot, this process is now automated and much faster.
After reviewing the incident summary, it’s clear that this is a highly involved incident with multiple sophisticated attacks. As a Tier 1 analyst, your goal is to quickly assess the attacks, rule out the false positives, determine the impact of the incident, and decide whether it needs to be escalated. Let’s dive into some of the incident investigations and see how Copilot for Security can assist throughout the process.
Initial Access, Discovery, and Defense Evasion
The initial access occurs when the attacker gains entry into the target system or network. In this case, the attacker employs a common attack tactic by tricking the user to click on a malicious link, to establish the initial foothold within the user’s corporate network. The following excerpt is from the incident summary generated by Copilot.
InitialAccess: The incident began at 2024-08-06 17:15:43 UTC when user 'kdickens' clicked on a malicious URL 'hxxps://fm06722326.mangodune-7572a721.eastus.azurecontainerapps.io/'.
Once an attacker gains access to the corporate network, he/she needs to gather information about the environment. For instance, running the Windows process “whoami.exe” to gather details about the current user’s identity and environment. Executing “whoami /groups” shows the groups to which the current user belongs, revealing user’s access level and permissions within the system. This process is documented during the Discovery phase.
Discovery: At 2024-08-06 17:16:17 UTC, a suspicious sequence of exploration activities were detected on 'mb-winclient' (Windows 10), involving the processes 'whoami.exe', 'powershell.exe' (running as SYSTEM), and impacting users 'pgustavo' and 'kdickens'.
So far, the attack techniques encountered are standard and frequently observed. For a Tier 1 analyst, these techniques are familiar and well-known, making the investigation relatively simple.
However, starting from the Defense Evasion phase, things may get a bit tricky. You see a process injection event in the alert:
DefenseEvasion: At 2024-08-06 17:16:20 UTC, a process was injected with potentially malicious code on 'mb-winclient' (Windows 10), involving the files 'ContosoADFSadmincreds.ps1', 'Midnight161.ps1', and impacting users 'pgustavo' and 'kdickens'.
What might “a process was injected with potentially malicious code” indicate? What’s a process injection? Let’s consult with Copilot for Security.
You can switch from the embedded experience of Copilot to its standalone mode. This allows you to ask Copilot more questions using its prompt feature. In the Microsoft Defender XDR portal, you may have noticed that there is an ellipsis right inside the Copilot pane. It offers several options for you, including the one “Open in Copilot for Security”. Selecting this option enables you to switch from the Copilot’s embedded experience to its standalone mode. This is shown in the next screen capture.
The “Open in Copilot for Security” feature also allows you to continue your current Copilot session in the standalone experience, preserving any ongoing work or context from the embedded experience. In this standalone mode, you can use the prompt feature to ask additional questions or seek further information, as shown in the next screenshot:
Prompt to Copilot for Security: Can you tell me more about DefenseEvasion: a process was injected with potentially malicious code on 'mb-winclient' (Windows10), involving the files 'ContosoADFSadmincreds.ps1', 'Midnight161.ps1'
The response from Copilot provides an overview of process injection and its characteristics:
The term "process injection" typically refers to a technique used by attackers to execute arbitrary code in the address space of a separate live process. This technique improves the stealth and evasion capabilities of malware since the execution of the malicious code does not result in the creation of a new process, making it harder to detect.
The full Copilot response is displayed in the next screen capture:
The process injection overview may still be somewhat abstract. You can follow up with Copilot for a more detailed description using a prompt seen in the next screen capture.
The next diagram presents a portion of the response from Copilot for Security. With this response from Copilot, you have a better understanding of process injection.
The information from Copilot adds more context and insights for this alert, enabling you, the Tier 1 analyst, to start a more thorough investigation immediately.
Back to the Microsoft Defender XDR portal, analysts typically leverage the Defender for Endpoint Timeline feature to investigate the event that might have triggered the alert “A process was injected with potentially malicious code.” The next screenshot shows that in the Timeline, Defender XDR recorded a device event, “powershell.exe executed a script,”. This event led Defender for Endpoint to immediately detect and report “powershell.exe process contains suspicious patterns in AMSI content related to ‘Process Injection’ and other techniques.” This then leads to the triggering of the process injection alert.
Defender XDR also provides the detailed PowerShell process commands that you can ask Copilot to analyze, as shown in the next screen capture.
With Copilot’s information on process injection, and combining the details from the device events, especially that the PowerShell script was executed from the user’s downloads directory, it’s clear that this is likely a malicious attack rather than a false positive. The use of a more advanced technique of process injection suggests that this case should be escalated to the Tier 2 team for further investigation.
In Defender XDR’s Timeline feature, security analysts typically review device events that occurred around the time the security alert was triggered to identify any additional malicious activity. This process is both time-consuming and labor-intensive. But now Copilot for Security can handle the heavy lifting for you. Let’s return to the Copilot standalone environment and use its prompt feature to accomplish this.
The prompt seen in the next screenshot instructs Copilot for Security to use a Defender KQL query to retrieve all device process events from around the time of the process injection activity. It then asks Copilot to analyze these events for any signs of suspicious activity.
As shown in the next screen capture, Copilot has flagged a few events that are worth investigating further.
You can ask Copilot for Security to further investigate these events with additional prompts in Copilot’s standalone experience.
This investigation may take some time to finish. However, as a Tier 1 analyst, you have concluded that these are likely malicious events involving sophisticated attack techniques. The Tier 2 team will need to carry out a more in-depth investigation. In the meantime, you can move on to the next set of security alerts.
Credential Access
In the incident summary, Copilot for Security also mentions a suspected DCSync attack as part of Credential Access activity:
CredentialAccess: At 2024-08-06 17:17:07 UTC, a suspected DCSync attack (replication of directory services) was detected on 'mb-winclient' (Windows 10), impacting user 'pgustavo'.
What is a DCSync attack? Rather than spending a lot of time researching it online, you can leverage Copilot for Security’s standalone experience to quickly get an idea of what it is and how it works.
Prompt to Copilot for Security: In your incident summary, you mentioned that "At 2024-08-06 17:17:07 UTC, a suspected DCSync attack (replication of directory services) was detected on 'mb-winclient' (Windows 10), impacting user 'pgustavo'." What's a DCSync attack? Can you provide its TTPs?
The next screenshot displays the question you can ask Copilot, along with some of its responses.
Copilot for Security first provides an overview of the DCSync attack with some specific examples. It then walks you through the steps involved in a typical DCSync attack, as seen in the next snapshot.
After reviewing the information provided by Copilot for Security, you should have a better understanding of the key aspects of a DCSync attack and how it operates. If there are more questions or if further clarification is needed, you can always use Copilot’s prompt feature to gain additional insights.
Once you have a solid understanding of the DCSync attack, you can apply this knowledge to assist the security incident investigation. Back in the Defender XDR portal, when you examine the alert story for the “suspected DCSync attack” alert, you’ll likely notice something is off when the end user sends a replication request to a domain controller, as seen in the screen capture.
You can confirm your suspicion with Copilot by entering the following prompt in Copilot’s standalone mode:
Is it common for a regular user on a Windows 10 device to send a replication request to a DC?
As seen in the next screen capture, Copilot for Security confirms that “it is not common for a regular user on a Windows 10 device to send a replication request to a Domain Controller (DC). In a typical Active Directory environment, only Domain Controllers replicate data amongst themselves.”
At this point, you likely can confirm this is a true security incident, not a false positive. Given the nature of the attack, it will require further investigation by the Tier 2 team.
Without the help from Copilot for Security, researching and confirming whether suspicious behavior is truly malicious can be time-consuming and labor-intensive. However, with Copilot for Security, it is faster and more straightforward to confirm malicious activities. Additionally, its provided explanations offer more context, helping the Tier 1 analyst to assess the impact and severity of the incident. This enables the analyst to quickly decide if the incident needs to be escalated to the Tier 2 team or not.
Lateral Movement
In this same security incident, there is an alert for “an ongoing hands-on-keyboard attack via Impacket toolkit”:
LateralMovement: At 2024-08-06 17:17:09 UTC, an ongoing hands-on-keyboard attack via Impacket toolkit was detected on 'mb-adfs' (Windows Server 2022), involving the processes 'lsass.exe' (running as SYSTEM), 'powershell.exe' (running as SYSTEM), and impacting users 'LocalSystem' and 'adfsadmin'.
While the description of the Impacket toolkit in the Microsoft Defender XDR portal is helpful, but for more detailed insight, you can turn to Copilot for Security’s standalone experience and ask:
Can you tell me more about the Impacket tool? Where is it used most often? How is it exploited by attackers?
Copilot provides a more thorough description of this toolkit:
It’s worth noting that in Copilot’s description of the toolkit, it was emphasized that while Impacket is a legitimate tool, it can also be exploited by attackers. Copilot included several simple examples to illustrate this:
While Impacket is a legitimate tool with many valid uses, it can also be exploited by attackers due to its powerful capabilities. For example, attackers can use Impacket to move laterally across a network, execute commands on remote systems, or extract sensitive information such as password hashes.
Copilot for Security then highlighted a specific attack scenario, pointing out that Impacket can be used to carry out a DCSync attack. And, as the Tier 1 analyst, you have just confirmed that a DCSync attack is involved in the same security incident.
It's also worth mentioning that while using Copilot for Security, it captures the sequence of your prompts and responses in a session. A session is a distinct interaction period with Copilot for Security, during which Copilot retains the context of the conversation. This allows it to provide relevant answers to subsequent requests, ensuring that the conversation flows logically, and that each response builds upon the previous ones.
Persistence
As we proceed with the incident summary generated by Copilot for Security, the next security alert is a suspicious service creation event occurred during the persistence stage:
Persistence: At 2024-08-06 17:17:10 UTC, suspicious service creation was detected on 'mb-adfs' (Windows Server 2022), involving the process 'services.exe' (running as SYSTEM), and impacting user 'adfsadmin'.
If you start examining this alert in the Microsoft Defender XDR portal, you will notice that Defender for Identity and Defender for Endpoint EDR all generated similar alerts, likely for the same suspicious event, as seen in the next screen capture:
Let’s first take a look at “suspicious service creation” alert triggered in Defender for Identity, as shown next:
The service path listed in the alert looks suspicious and it is encoded. Let's use the following prompt to consult Copilot and understand its purpose.
Can you decode then tell me more about this service path: %COMSPEC% /C “powershell.exe -EncodedCommand QwA6AFwAUwBjAHIAaQBwAHQAcwBcAFIAZQBuAGEAbQBlAFAAbwB3AGUAcgBzAGgAZQBsAGwALgBwAHMAMQA=”
The next screen capture displays the response from Copilot for Security:
Copilot for Security provides a detailed breakdown of the service path. It identifies the encoded command as base64 encoding and decodes it for you. It then concludes with a summary: “this service path is used to execute the RenamePowershell.ps1 PowerShell script located in the C:\Scripts\ directory. The use of base64 encoding can often be a technique to obfuscate the actual command being run, which could be a sign of malicious activity.”
This information is helpful. Let's continue examining the other related security alerts. The “suspicious service registration” alert triggered in Defender for Endpoint likely pertains to the same suspicious activity that was just looked at. This alert provides a little bit more information and mentions “services.exe modified service image file”, as shown next.
Using the following prompt, let’s see what Copilot for Security can find out:
Can you explain in more detail about the following event: services.exe modified service image file from to %COMSPEC% /C "powershell.exe -EncodedCommand QwA6AFwAUwBjAHIAaQBwAHQAcwBcAFIAZQBuAGEAbQBlAFAAbwB3AGUAcgBzAGgAZQBsAGwALgBwAHMAMQA=" for service WDUAPJKVADPWOQLFGQSH
The screenshot shown next displays Copilot’s response.
Copilot’s findings for this “suspicious service registration” alert closely align with its analysis on the “suspicious service creation” alert triggered in Defender for Identity. This confirms the suspicion that the two alerts from different security solutions are both reporting the same malicious activity. However, because the Defender for Endpoint alert points out a "services.exe modified service image file" and this detail was included in the prompt, Copilot for Security can now provide additional insights in its analysis that weren't present in the previous report. You now have a clear picture of this malicious activity: the services.exe process has been set to run RenamePowershell.ps1 whenever the WDUAPJKVADPWOQLFGQSH service is started. For your reference, the following snippet is taken from Copilot's last response:
It's worth noting that changes to service image file paths, especially those involving scripts or unusual locations, can be a sign of malicious activity. In this case, the services.exe process has been instructed to launch a PowerShell script whenever the WDUAPJKVADPWOQLFGQSH service is started, which is unusual behavior and could potentially be malicious.
This example also highlights the importance of effective prompting. The more specific information you provide to Copilot, the more relevant and precise responses you’re likely to receive.
In addition, this example highlights the Microsoft Defender XDR's capability to integrate and correlate data across various Defender solutions. When different Defender tools detect the same malicious activity, they each generate separate alerts. Microsoft Defender XDR then aggregates these alerts into a unified incident. This correlation helps to provide a comprehensive view of the threat.
Credential Access
Let's review one more alert from the incident summary provided by Copilot for Security: suspicious credential access event involving an ADFS private key extraction:
CredentialAccess: At 2024-08-06 17:18:20 UTC, an ADFS private key extraction attempt was detected on 'mb-adfs' (Windows Server 2022), impacting user 'adfsadmin'.
You will use Copilot for Security to again get a better understanding of the alert. In the Microsoft Defender XDR portal, the device Timeline very often shows the events that led to the alert being triggered. For this security alert, the device event, "jyglecpm.1v0.exe ran an LDAP query", triggered the alert “ADFS private key extraction attempt”, as seen in the next screenshot. To further investigate this device event, one option is to utilize Copilot for Security to analyze the command line for jyglecpm.1v0.exe. You can perform this directly within the Microsoft Defender XDR portal leveraging the embedded experience of Copilot for Security. Alternatively, in standalone mode, you can paste the command line into the Copilot prompt and request for analysis.
As shown in the next screen capture, Copilot for Security offers a detailed analysis of the command line through its embedded experience.
From the Copilot analysis excerpt shown below, you can sense something isn’t right when jyglecpm.1v0.exe performed the LDAP query:
The provided command line script executes a file named "jyglecpm.1v0.exe" in a hidden window. It then uses the '-encodedCommand' parameter to run a base64-encoded command. The base64 string decodes to a PowerShell script located at 'C:\Scripts\ExportADFSTokenSigningCert.ps1'. This suggests that the script is likely used to execute a hidden process and then run a PowerShell script, possibly for malicious purposes.
To further investigate, you can first get a sense of what are the normal LDAP operations by prompting Copilot with the following questions in its standalone experience:
The next screenshot displays the information provided back by Copilot:
Based on Copilot’s explanation, you quickly gain an understanding of LDAP and how it operates. LDAP queries are typically initiated by client applications or services that need to access data stored in a directory service. For instance, an email client might perform an LDAP query to retrieve the email addresses of users within an organization.
Now you may be wondering, why would an unfamiliar and rarely seen process like "jyglecpm.1v0.exe" need to run an LDAP query to access data in a directory service? It is especially suspicious with its encoded command line. Let’s continue to consult Copilot with the prompt shown in the next screenshot:
Copilot for Security, leveraging its vast amount of knowledge, comments: “The command line script you provided does not appear to be a normal LDAP operation. It executes …” The full response from Copilot is displayed in the next screen capture:
Without the assistance of Copilot for Security, determining whether a behavior is truly malicious can be time-consuming and labor-intensive. Traditional methods typically involve extensive manual research, multiple clicks, and complex navigation through various user interface elements. Analysts often need to sift through many data points and conduct in-depth analyses to assess the severity of threats, which can delay the identification of true risks.
However, with Copilot for Security, this process becomes significantly more efficient and straightforward. Analysts can quickly ask specific questions about suspicious behavior rather than spending extended periods researching online. By providing additional context and explanations directly within the platform, Copilot enables Tier 1 analysts to quickly understand the nature and severity of an incident. This instant clarity allows analysts to make informed decisions and determine whether escalation to Tier 2 or 3 teams is necessary, thus accelerating threat response and reducing the overall time spent on investigation.
Continue reading...